In late February 2015, I reported an XSS vulnerability in HackerOne itself. This one took advantage of the way the arguments passed to React functions were being validated, tricking React into thinking it was rendering a React element instead of the string that was expected.
At the request of HackerOne, the report was publicly disclosed today.
More here: http://danlec.com/blog/xss-via-a-spoofed-react-element
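The class of bug described above arises when a renderer accepts an object where a string was expected. As an added example (not code from HackerOne, React or the original report), the toy renderer below tags its elements with a Symbol, which JSON cannot carry, and refuses any other object; this is the same idea as the Symbol-based `$$typeof` tag React later added to its elements. All function and constant names are hypothetical.

```javascript
// Added example; every name here is hypothetical and this is not React's code.
// A Symbol cannot be expressed in JSON, so an object that arrived as untrusted
// JSON can never carry the tag that marks a genuine element.
const ELEMENT_TAG = Symbol.for('example.element');

// Only code running in our own application can produce a tagged element.
function makeElement(type, children) {
  return { $$typeof: ELEMENT_TAG, type, children };
}

function isTrustedElement(value) {
  return typeof value === 'object' && value !== null &&
    value.$$typeof === ELEMENT_TAG;
}

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

const ALLOWED_TYPES = new Set(['span', 'b', 'p']);

// Render a child: strings are escaped, tagged elements are walked, and
// anything else (including element-shaped objects from JSON) is refused.
function renderChild(value) {
  if (typeof value === 'string') return escapeHtml(value);
  if (typeof value === 'number') return String(value);
  if (Array.isArray(value)) return value.map(renderChild).join('');
  if (isTrustedElement(value) && ALLOWED_TYPES.has(value.type)) {
    return `<${value.type}>${renderChild(value.children)}</${value.type}>`;
  }
  throw new TypeError('refusing to render untrusted non-string value');
}

// Constructed sample input: a field that should be a string but was sent as an object.
const untrusted = JSON.parse(
  '{"name": {"$$typeof": "Symbol(example.element)", "type": "b", "children": "x"}}'
);

function tryRender(value) {
  try { return renderChild(value); } catch (err) { return 'rejected: ' + err.message; }
}

console.log(tryRender('<i>plain text</i>'));
console.log(tryRender(makeElement('b', 'hello')));
console.log(tryRender(untrusted.name));
```

Validating the type of each user-supplied field on the server, before it is ever handed to the client, closes the same gap one layer earlier.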